Comment: Updates for v8 deployment

...

  1. Silently remove all imported entities with XML attribute mdrpi:RegistrationInfo[@registrationAuthority='https://incommon.org']
    1. Entities so marked must come from primary sources only.
  2. Remove (and log the removal of) the following XML elements (not entities):
    1. <mdui:Logo> elements (not entities) with a URL that is not HTTPS-protected
  3. Silently remove the following XML elements (not entities):
    1. all MDUI metadata (e.g., mdui:UIInfo elements) within AttributeAuthority roles.
    2. all entity attributes on the Entity Attribute Blacklist (see subsection below).
    3. all extended XML elements and attributes defined in namespaces not on the XML Namespace Whitelist (see subsection below).
  4. Remove (and log the removal of) all imported entities matching one or more of the following conditions:
    1. Entities with an entityID that does not begin with one of the following prefixes: “http://”, “https://”, “urn:mace
    2. Entities with weak keys (which includes all keys less than 2048 bits in length)
      1. The use of weak keys in metadata has security and privacy implications.
      2. There are no weak keys in InCommon metadata, and we'd like to keep it that way.
    3. IdP entities with a faulty <shibmd:Scope> element
      1. Require regexp attribute on <shibmd:Scope>
      2. Disallow <shibmd:Scope regexp="true">
      3. Values which do not represent a permissible scope:
        1. non-regexp scopes which do not represent valid domain names, or which represent "public suffix" domains,
        2. regexp scopes which do not incorporate a "literal tail" which represents a valid, non-public-suffix, domain name.
    4. IdP entities with an endpoint location that is not HTTPS-protected
    5. IdP entities that do not have a SAML2 SingleSignOnService endpoint that supports the HTTP-Redirect binding.
      1. In effect, all imported IdPs must support SAML2.
    6. SP entities that do not have at least one SAML2 AssertionConsumerService endpoint that supports the HTTP-POST binding.
      1. In effect, all imported SPs must support SAML2.
    7. Entities containing literal CR characters.
    8. Entities containing misplaced or duplicated EntityAttributes elements.
    9. Entities containing XML failing schema validation.
    10. Entities that do not conform to the SAML v2.0 Metadata Profile for Algorithm Support Version 1.0
    11. Entities that do not follow standard rules regarding Binding values on protocol endpoints in metadata
    12. Entities that do not conform to the SAML V2.0 Holder-of-Key Web Browser SSO Profile Version 1.0
    13. Entities that do not conform to the Identity Provider Discovery Service Protocol and Profile
    14. Entities that do not conform to the Service Provider Request Initiation Protocol and Profile Version 1.0
    15. Entities that do not conform to the SAML V2.0 Metadata Interoperability Profile
    16. Entities that do not conform to the SAML V2.0 Metadata Extensions for Registration and Publication Information Version 1.0
    17. Entities that do not conform to the SAML V2.0 Metadata Extensions for Login and Discovery User Interface Version 1.0
    18. Entities that do not conform to the REFEDS Research and Scholarship Entity Category
    19. Entities that do not conform to the REFEDS SIRTFI specification
    20. Entities that do not conform to the SAML V2.0 Metadata specification
    21. SP entities with an endpoint location that is not HTTPS-protected
    22. Entities that do not conform to the ADFS Metadata Profile
    23. Entities that have inconsistent metadata for SAML 1.x support
    24. Entities that have errors in their RequestedAttributes elements
  5. Silently remove all imported entities that have the same entityID as an existing entity in the InCommon aggregate.
    1. This happens because some SPs choose to join multiple federations.
    2. Dozens of global SPs are filtered by this rule.
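The following is an added example, not InCommon's own import tooling: a standard-library Python model of how the rule order above plays out on one aggregate. It covers step 1 (silent removal of InCommon-registered entities), step 2.1 (logged removal of non-HTTPS mdui:Logo elements), steps 3.2 and 3.3 (stripping blacklisted entity attributes and non-whitelisted namespaces), a subset of step 4 (entityID prefix, non-HTTPS endpoints, missing SAML2 Redirect SSO / POST ACS endpoints, literal CR characters) and step 5 (entityIDs already in InCommon). Weak-key, scope, schema and profile-conformance checks are not modelled. The sample aggregate, the example.test entities in it, the "not-whitelisted" namespace and the pretend InCommon entityID set are all constructed for the example; the CR rule is modelled as a CR that survives parsing (a `&#13;` character reference), since the parser normalises bare CR line endings.

```python
import logging
import xml.etree.ElementTree as ET

log = logging.getLogger("import-filter")
NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "mdrpi": "urn:oasis:names:tc:SAML:metadata:rpi",
      "mdui": "urn:oasis:names:tc:SAML:metadata:ui", "mdattr": "urn:oasis:names:tc:SAML:metadata:attribute",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Subset of the page's XML Namespace Whitelist, enough for the constructed sample below.
NAMESPACE_WHITELIST = set(NS.values()) | {"http://www.w3.org/2000/09/xmldsig#", "urn:mace:shibboleth:metadata:1.0",
                                          "http://www.w3.org/XML/1998/namespace", "http://www.w3.org/2001/XMLSchema-instance"}
# (Name, Value) pairs from the page's Entity Attribute Blacklist.
ENTITY_ATTRIBUTE_BLACKLIST = {
    ("http://macedir.org/entity-category", "http://id.incommon.org/category/registered-by-incommon"),
    ("http://macedir.org/entity-category", "http://id.incommon.org/category/research-and-scholarship"),
    ("http://macedir.org/entity-category-support", "http://id.incommon.org/category/research-and-scholarship"),
    ("urn:oasis:names:tc:SAML:attribute:assurance-certification", "http://id.incommon.org/assurance/bronze"),
    ("urn:oasis:names:tc:SAML:attribute:assurance-certification", "http://id.incommon.org/assurance/silver")}
ENTITYID_PREFIXES = ("http://", "https://", "urn:mace")
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

def tag(prefix, local): return "{%s}%s" % (NS[prefix], local)
def ns_of(qname): return qname[1:].split("}", 1)[0] if qname.startswith("{") else ""
def is_https(url): return (url or "").strip().lower().startswith("https://")

def strip_elements(ed):
    """Steps 2 and 3: remove offending elements/attributes inside one entity. Returns URLs of dropped logos."""
    parent = {c: p for p in ed.iter() for c in p}
    logos, doomed = [], []
    for el in list(ed.iter()):
        for a in list(el.attrib):  # step 3.3: extended attributes in namespaces not on the whitelist
            if a.startswith("{") and ns_of(a) not in NAMESPACE_WHITELIST: del el.attrib[a]
        if el is ed: continue
        if el.tag == tag("mdui", "Logo") and not is_https(el.text):  # step 2.1: logged removal
            logos.append((el.text or "").strip()); doomed.append(el)
        elif el.tag == tag("saml", "Attribute") and parent[el].tag == tag("mdattr", "EntityAttributes"):
            for v in list(el):  # step 3.2: drop blacklisted values, and the Attribute if it is left empty
                if (el.get("Name"), (v.text or "").strip()) in ENTITY_ATTRIBUTE_BLACKLIST: el.remove(v)
            if len(el) == 0: doomed.append(el)
        elif ns_of(el.tag) not in NAMESPACE_WHITELIST:  # step 3.3: extended elements
            doomed.append(el)
    for el in doomed: parent[el].remove(el)
    return logos

def entity_problems(ed):
    """Step 4 (a subset of its conditions): reasons the whole entity is removed and logged."""
    reasons, eid = [], ed.get("entityID", "")
    if not eid.startswith(ENTITYID_PREFIXES): reasons.append("entityID has no allowed prefix")
    for el in ed.iter():
        for attr in ("Location", "ResponseLocation"):
            if el.get(attr) is not None and not is_https(el.get(attr)): reasons.append("endpoint not HTTPS: " + el.get(attr))
    idp, sp = ed.find("md:IDPSSODescriptor", NS), ed.find("md:SPSSODescriptor", NS)
    if idp is not None and not any(s.get("Binding") == REDIRECT for s in idp.findall("md:SingleSignOnService", NS)):
        reasons.append("IdP has no SAML2 HTTP-Redirect SingleSignOnService")
    if sp is not None and not any(a.get("Binding") == POST for a in sp.findall("md:AssertionConsumerService", NS)):
        reasons.append("SP has no SAML2 HTTP-POST AssertionConsumerService")
    # A CR in the raw file survives parsing only as a character reference; that is what is checked here.
    if any("\r" in t for t in ed.itertext()) or any("\r" in v for el in ed.iter() for v in el.attrib.values()):
        reasons.append("literal CR character")
    return reasons

def filter_aggregate(xml_text, incommon_entity_ids):
    """Apply the rules in the page's order. Returns (filtered root, logged removals, silent removals)."""
    root = ET.fromstring(xml_text)
    parent = {c: p for p in root.iter() for c in p}
    logged, silent = {}, []
    for ed in list(root.iter(tag("md", "EntityDescriptor"))):
        eid = ed.get("entityID")
        reg = ed.find("md:Extensions/mdrpi:RegistrationInfo", NS)
        if reg is not None and reg.get("registrationAuthority") == "https://incommon.org":  # step 1
            silent.append(eid); parent[ed].remove(ed); continue
        for url in strip_elements(ed):  # steps 2 and 3
            log.info("%s: removed non-HTTPS mdui:Logo %s", eid, url)
        reasons = entity_problems(ed)  # step 4
        if reasons:
            for r in reasons: log.info("%s: removed entity: %s", eid, r)
            logged[eid] = reasons; parent[ed].remove(ed); continue
        if eid in incommon_entity_ids:  # step 5
            silent.append(eid); parent[ed].remove(ed)
    return root, logged, silent

def kept_entity_ids(root):
    return [e.get("entityID") for e in root.iter(tag("md", "EntityDescriptor"))]

# Constructed sample aggregate: idp-a is InCommon-registered, idp-b needs cleaning but survives,
# sp-c fails several step-4 checks, sp-d duplicates an entityID already in InCommon.
SAMPLE = f"""<md:EntitiesDescriptor xmlns:md="{NS['md']}" xmlns:mdrpi="{NS['mdrpi']}" xmlns:mdui="{NS['mdui']}"
    xmlns:mdattr="{NS['mdattr']}" xmlns:saml="{NS['saml']}" xmlns:x="http://example.test/not-whitelisted">
  <md:EntityDescriptor entityID="https://idp-a.example.test/idp"><md:Extensions>
    <mdrpi:RegistrationInfo registrationAuthority="https://incommon.org"/></md:Extensions></md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://idp-b.example.test/idp" x:vendor="acme">
    <md:Extensions><mdrpi:RegistrationInfo registrationAuthority="https://federation.example.test"/><x:Custom/>
      <mdattr:EntityAttributes><saml:Attribute Name="http://macedir.org/entity-category">
        <saml:AttributeValue>http://id.incommon.org/category/registered-by-incommon</saml:AttributeValue>
        <saml:AttributeValue>http://refeds.org/category/research-and-scholarship</saml:AttributeValue>
      </saml:Attribute></mdattr:EntityAttributes></md:Extensions>
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:Extensions><mdui:UIInfo><mdui:Logo height="1" width="1">http://idp-b.example.test/logo.png</mdui:Logo></mdui:UIInfo></md:Extensions>
      <md:SingleSignOnService Binding="{REDIRECT}" Location="https://idp-b.example.test/sso"/></md:IDPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://sp-c.example.test/sp">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" Location="http://sp-c.example.test/acs" index="0"/>
    </md:SPSSODescriptor><md:Organization><md:OrganizationName xml:lang="en">SP C&#13;</md:OrganizationName>
      <md:OrganizationDisplayName xml:lang="en">SP C</md:OrganizationDisplayName><md:OrganizationURL xml:lang="en">https://sp-c.example.test/</md:OrganizationURL></md:Organization>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://sp-d.example.test/sp"><md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService Binding="{POST}" Location="https://sp-d.example.test/acs" index="0"/></md:SPSSODescriptor></md:EntityDescriptor>
</md:EntitiesDescriptor>"""
INCOMMON_ENTITY_IDS = {"https://sp-d.example.test/sp"}  # constructed: pretend sp-d is already in the InCommon aggregate
```

Running `filter_aggregate(SAMPLE, INCOMMON_ENTITY_IDS)` keeps only idp-b (with its HTTP logo, the registered-by-incommon entity-category value, the foreign `x:Custom` element and the `x:vendor` attribute stripped), logs the removal of sp-c with three reasons, and silently drops idp-a and sp-d. The distinction between logged and silent removals mirrors the page: operators want a record of entities rejected on quality grounds, but not noise about entities that were never meant to be imported.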

...

Entity Attribute Blacklist

Name                                                        Value
http://macedir.org/entity-category                          http://id.incommon.org/category/registered-by-incommon
http://macedir.org/entity-category                          http://id.incommon.org/category/research-and-scholarship
http://macedir.org/entity-category-support                  http://id.incommon.org/category/research-and-scholarship
urn:oasis:names:tc:SAML:attribute:assurance-certification   http://id.incommon.org/assurance/bronze
urn:oasis:names:tc:SAML:attribute:assurance-certification   http://id.incommon.org/assurance/silver

XML Namespace Whitelist

Namespace                                                         Prefix
urn:oasis:names:tc:SAML:metadata:algsupport                       alg
http://www.w3.org/2000/09/xmldsig#                                ds
urn:oasis:names:tc:SAML:2.0:profiles:holder-of-key:SSO:browser    hoksso
http://id.incommon.org/metadata                                   icmd
urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol       idpdisc
urn:oasis:names:tc:SAML:profiles:SSO:request-init                 init
urn:oasis:names:tc:SAML:2.0:metadata                              md
urn:oasis:names:tc:SAML:metadata:attribute                        mdattr
urn:oasis:names:tc:SAML:metadata:rpi                              mdrpi
urn:oasis:names:tc:SAML:metadata:ui                               mdui
http://refeds.org/metadata                                        remd
urn:oasis:names:tc:SAML:2.0:assertion                             saml
urn:mace:shibboleth:metadata:1.0                                  shibmd
http://www.w3.org/2001/04/xmlenc#                                 xenc
http://www.w3.org/XML/1998/namespace                              xml
http://www.w3.org/2001/XMLSchema-instance                         xsi

...